Wascap Specification - Security

One of the many reasons people are excited about WebAssembly is the portability of a WebAssembly module. The instruction set and binary format will work anywhere, on any operating system and on any CPU (virtual or otherwise) provided there is a valid runtime host. This gives us an amazing opportunity to finally leverage write-once, run everywhere technology. However, there’s nothing inherent in the WebAssembly file format that addresses the concerns of security and provenance.

Wascap security starts with a JWT embedded into each guest WebAssembly module. Each JWT has a signature created using an ed25519 key. In the case of the Rust implementations, we’re using an encoding standard for ed25519 keys called nkeys, which makes the public and private keys readable by humans and adds a custom prefix that gives us a clue as to which type of key we’re looking at.

The signature of the JWT lets us know that the JWT is valid. Within the JWT, the issuer and subject fields give us the identity and provenance of the module, and the hash field inside the JWT allows us to verify that the WebAssembly module has not been tampered with since it was signed.

JSON Web Token Fields

The following fields are used by Wascap security in signing and verifying signed modules:

| Field | Description |
|---|---|
| iss | The issuer of the token. This is the public key of the issuer, which will have the prefix of A, corresponding to the nkeys standard prefix for an account. |
| sub | The subject of the token. This is the public key of the WebAssembly module itself, which will have the prefix of M, corresponding to the nkeys standard prefix for a module. |
| hash | The hash of the raw binary contents of the WebAssembly module as it appeared prior to signing. This hash can be used to verify that the WebAssembly module under scrutiny has not been modified since signing. |
| nbf | The not valid before field. Carries the same semantics as in regular JWTs. |
| tags | An arbitrary (empty/missing allowed) array of strings containing metadata tags. Purpose of these tags is left up to the consumer. |
| caps | An array of strings containing a list of capabilities granted to this module. Can contain any combination of well-known and domain-specific capability IDs. |
| iat | The issued at field. Carries the same semantics as in regular JWTs. |
| expires | The expires field. Carries the same semantics as in regular JWTs. |
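
The claim checks a host can run once the JWT signature has been verified, as an added example that is not code from the Wascap project: key prefixes on iss and sub, the hash against the module bytes, and the nbf/expires window. It assumes the hash is hex-encoded SHA-256 (the page does not name the algorithm) and that the caller supplies the module bytes as they were before the JWT was embedded; the function names, sample keys and token are constructed for illustration.

```python
import base64, hashlib, json, time

def check_claims(token: str, unsigned_module: bytes, now=None) -> list:
    """Return the problems found in the claims (empty list = consistent).
    Does NOT verify the Ed25519 signature; do that against `iss` first."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:  # JWT segments are unpadded base64url; restore padding first
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        claims = json.loads(payload)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    if not str(claims.get("iss", "")).startswith("A"):
        problems.append("iss is not an account key (prefix A)")
    if not str(claims.get("sub", "")).startswith("M"):
        problems.append("sub is not a module key (prefix M)")
    # Assumption: SHA-256, hex-encoded; the page does not name the algorithm.
    digest = hashlib.sha256(unsigned_module).hexdigest()
    if str(claims.get("hash", "")).lower() != digest:
        problems.append("hash does not match module contents")
    # Assumption: nbf/expires are optional, in seconds since the epoch.
    for field in ("nbf", "expires"):
        if field in claims and not isinstance(claims[field], (int, float)):
            return problems + [field + " is not a number"]
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token is not valid yet (nbf)")
    if "expires" in claims and now >= claims["expires"]:
        problems.append("token has expired (expires)")
    return problems

def make_sample_token(module: bytes, **overrides) -> str:
    # Constructed sample: placeholder keys, header and signature segment.
    claims = {"iss": "ACONSTRUCTEDISSUER", "sub": "MCONSTRUCTEDMODULE",
              "hash": hashlib.sha256(module).hexdigest(),
              "caps": [], "iat": 1000, "nbf": 1000, "expires": 2000}
    claims.update(overrides)
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"typ": "jwt", "alg": "Ed25519"}).encode())
    return ".".join([header, enc(json.dumps(claims).encode()), enc(b"sig")])

if __name__ == "__main__":
    wasm = b"\x00asm\x01\x00\x00\x00"  # constructed: bare wasm header only
    token = make_sample_token(wasm)
    print(check_claims(token, wasm, now=1500))            # untouched module
    print(check_claims(token, wasm + b"\x00", now=1500))  # modified module
```

These checks only mean something after the signature has been verified, since an unsigned payload can carry any hash and any issuer.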